OEI: Operation Execution Integrity for Embedded Devices

We formulate a new security property, called “Operation Execution Integrity” or OEI, tailored for embedded devices. Inspired by the operation-oriented design of embedded programs and considering the limited hardware capabilities of embedded devices, OEI attestation enables selective and practical verification of both control-flow integrity and critical-variable integrity for an operation being executed. This attestation allows remote verifiers to detect control-flow hijacks as well as data-only attacks, including data-oriented programming, on an embedded device—a capability needed for securing IoT but unachievable using existing methods. We design and build a system, called OAT, to realize and evaluate the idea of OEI attestation on ARM-based baremetal devices. OAT features a highly efficient measurement collection mechanism, a control-flow measurement scheme designed for determinate verifiability, and a method for lightweight variable-integrity checking. When tested against real-world embedded programs on a development board, OAT incurred only a mild runtime overhead (2.7%).